Petya
Petya is ransomware for Microsoft Windows with MBR-infection capabilities, created by a malware group calling itself "Janus Cybercrime Solutions". It mostly infected computers in Europe (especially Germany), but later began to spread into Asia. Some companies are still struggling to replace computers infected with Petya. There are three main variants: the original 2016 variant (standard Petya), the 2017 variant that many security researchers call NotPetya, and BadRabbit. NotPetya is effectively a wiper and renders the computer unusable; it is now considered destructive malware. The user's data is gone unless a backup is present, because the encryption keys are randomly generated and then discarded. Petya (the 2016 variant), however, can be recovered: the master key used for its encryption was later released.

Payload

Petya's core is a DLL file. It can be run by system processes, but it is mostly run by an EXE dropper created by the malware authors. The dropper arrives in spam messages containing links that download a ZIP archive. The archive contains the trojan's executable and a JPEG image. The file names are in German (for example Bewerbungsunterlagen.PDF.exe), are made to look like job applicants' resumes, and target HR staff in German-speaking countries. The EXE files carry a PDF icon and an Administrator manifest, so Windows asks for elevation when they are opened; they are also packed and encrypted in a hard-to-analyze way that makes the code difficult to detect even by heuristic means. When run with Administrator privileges, the dropper decrypts itself, adjusts its token privileges (enabling SeTcbPrivilege, SeDebugPrivilege and SeShutdownPrivilege through AdjustTokenPrivileges) and runs the Petya core DLL, "setup.dll", from memory (RAM) by calling its only exported function, "_ZuWQdweafdsg345312@0". The DLL is written in C and built with Visual Studio.
When the DLL runs, it decrypts its ".xxxx" section, which is embedded in the DLL file as a readable section, and executes the code inside it. That code calls the Microsoft Windows DeviceIoControl API against the primary hard drive and obtains the partition style by parsing the PARTITION_INFORMATION_EX structure (its PartitionStyle field) returned by IOCTL_DISK_GET_PARTITION_INFO_EX. If the partition style is MBR, the ".xxxx" code encrypts the boot sector (sector 0) with a XOR operation using the key 0x37 and writes the result to sector 56 of the primary hard drive; sectors 1 through 33 are encrypted with the same operation. Because this "encryption" is a single-byte XOR, it is trivially reversible by anyone with access to the disk. The code then generates a configuration block, written to sector 54, that the malware reads at the next boot; creates a verification sector at sector 55 filled with the repeating byte 0x37; copies the disk's NT signature and the partition table from the original MBR into its own first-level loader; writes that first-level malicious code to the boot sector; and writes its second-level code (referred to here as the malicious loader, or Petya's boot kernel) to sectors 34 to 50. Finally it calls the NtRaiseHardError function, which causes the operating system to generate a BSOD and reboot. This routine is only triggered if SeShutdownPrivilege was enabled; otherwise Petya does nothing. The Petya kernel is not encrypted, so its strings are visible on disk. When "setup.dll" detects a GPT disk, it locates the GPT header, encrypts it with the same 0x37 key and then follows the same procedure as for MBR-style disks.
The configuration sector (sector 54) holds a "config.state" field, a "config.mal_urls" field (the Tor URLs shown to the victim), a "config.ec_data" field (the decryption ID shown to the user, derived from the Salsa20 key) and the Salsa20 key itself ("config.salsa_key"), which is used in the encryption process that follows the MBR infection. The key is generated with the Windows CryptoAPI (exported by ADVAPI32.DLL), in particular CryptAcquireContextA and CryptGenRandom. When the system boots again, the MBR (sector 0) loads the Petya kernel code from sectors 34 to 50. The kernel scans every hard disk in the machine and checks the "config.state" field in sector 54. If it is set to 1, Petya's skull payload screen is shown. If it is 0, the encryption process begins: a fake CHKDSK dialog is displayed; the Salsa20 key ("config.salsa_key") is read from sector 54; "config.state" is set to 1; sector 55 is encrypted with the Salsa20 key; the kernel then searches every connected hard disk for the MFT and, when one is found, encrypts it with the same key. Sector 57 is used as a marker. The key in sector 54 is then erased and the system is rebooted (via the BIOS interrupt INT 19h). On the next boot the Petya payload screen is displayed, using the "config.mal_urls" and "config.ec_data" fields. The trojan asks for a key and verifies it: if the entered key is 16 characters long, it is turned into a Salsa20 key and used to decrypt sector 55. If the result is the repeating byte 0x37, the key is accepted and used for decryption (the MFT of every encrypted disk is restored, and a "Please, reboot your computer!" dialog is shown). Note that after this point the real key no longer exists on the disk; only the encrypted verification sector and the ID remain.
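The key check described above can be reproduced with a standard Salsa20 implementation. The following is an added example, not code from this page or from the malware: it encrypts a 512-byte sector of repeating 0x37 bytes with a 16-byte key (Salsa20 accepts 128-bit keys directly), then validates a candidate key the way the boot-time kernel does, by decrypting the verification sector and comparing the result to the expected pattern. Petya's own key expansion and nonce handling are not described on this page; the example assumes a fixed 8-byte nonce stored alongside the sector, and the key and nonce values are constructed.

```python
import struct

SECTOR = 512
VERIFY_PATTERN = b"\x37" * SECTOR  # what Petya writes to sector 55 before encryption


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _qr(s: list, a: int, b: int, c: int, d: int) -> None:
    # Salsa20 quarter-round, applied in place to the 16-word state
    s[b] ^= _rotl32((s[a] + s[d]) & 0xFFFFFFFF, 7)
    s[c] ^= _rotl32((s[b] + s[a]) & 0xFFFFFFFF, 9)
    s[d] ^= _rotl32((s[c] + s[b]) & 0xFFFFFFFF, 13)
    s[a] ^= _rotl32((s[d] + s[c]) & 0xFFFFFFFF, 18)


def salsa20_block(key16: bytes, nonce8: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block for a 128-bit key ("expand 16-byte k" layout)."""
    if len(key16) != 16 or len(nonce8) != 8:
        raise ValueError("this Salsa20 takes a 16-byte key and an 8-byte nonce")
    c = struct.unpack("<4I", b"expand 16-byte k")
    k = struct.unpack("<4I", key16)
    n = struct.unpack("<2I", nonce8)
    ctr = (counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF)
    # With a 128-bit key the same four key words fill both key slots of the state.
    init = [c[0], k[0], k[1], k[2],
            k[3], c[1], n[0], n[1],
            ctr[0], ctr[1], c[2], k[0],
            k[1], k[2], k[3], c[3]]
    s = list(init)
    for _ in range(10):  # 10 double rounds = Salsa20/20
        _qr(s, 0, 4, 8, 12); _qr(s, 5, 9, 13, 1); _qr(s, 10, 14, 2, 6); _qr(s, 15, 3, 7, 11)  # columns
        _qr(s, 0, 1, 2, 3); _qr(s, 5, 6, 7, 4); _qr(s, 10, 11, 8, 9); _qr(s, 15, 12, 13, 14)  # rows
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(s, init)])


def salsa20_xor(key16: bytes, nonce8: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key16, nonce8, off // 64)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def make_verification_sector(key16: bytes, nonce8: bytes) -> bytes:
    """What the kernel does to sector 55 when the encryption pass starts."""
    return salsa20_xor(key16, nonce8, VERIFY_PATTERN)


def verify_key(candidate: str, encrypted_sector: bytes, nonce8: bytes) -> bool:
    """The ransom-screen check: a 16-character key must decrypt sector 55 back to 0x37 bytes."""
    if len(candidate) != 16:
        return False
    try:
        key16 = candidate.encode("ascii")
    except UnicodeEncodeError:
        return False
    return salsa20_xor(key16, nonce8, encrypted_sector) == VERIFY_PATTERN


if __name__ == "__main__":
    key, nonce = b"0123456789abcdef", bytes(range(1, 9))  # constructed values
    sector55 = make_verification_sector(key, nonce)
    print("right key accepted:", verify_key("0123456789abcdef", sector55, nonce))
    print("wrong key accepted:", verify_key("0123456789abcdeX", sector55, nonce))
```

A wrong key turns sector 55 into noise rather than 0x37 bytes, which is why the kernel can discard the real key and still decide whether a typed key is correct. The same property is what makes the verification sector useful to an analyst: with a candidate key in hand (for example from a released master key), decrypting this one sector confirms it before touching the MFT.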
Petya needs no C&C communication: the ID shown to the victim can be turned back into the key by whoever holds the master keys of the scheme, which the author later released. Other variants in the original family are Mischa (with a green-on-black screen) and GoldenEye. On 30 August 2018, a regional court in Nikopol in the Dnipropetrovsk Oblast of Ukraine sentenced an unnamed Ukrainian citizen to one year in prison after he pleaded guilty to having spread a version of Petya online.

NotPetya

NotPetya is a destructive wiper variant of Petya that spreads with the EternalBlue and EternalRomance exploits, unlike Petya, which relied on fake job-application emails. NotPetya also encrypts files with AES-128, using a randomly generated key that is never stored in a recoverable form. NotPetya's DLL is called "perfc.dat"; rather than being loaded purely in memory, it is written to the WINDOWS folder and run with rundll32.exe, passing export ordinal #1 as the entry point. A randomly named TMP file is also dropped in the Temporary folder: this is the Mimikatz-based credential-theft module used for spreading, which is executed and exchanges data with the NotPetya process over a named pipe. The module registers as a CNG cryptographic provider, opens "lsass.exe" with OpenProcess and looks for two modules in its memory, "wdigest.dll" and "lsasrv.dll"; it then extracts every credential LSASS holds by reading those two modules' structures and returns the result over the pipe. Afterwards "dllhost.dat", a copy of the PsExec utility, is created and used with the stolen credentials to execute the malware on every reachable computer. The malware also scans the network for hosts with ports 445 and 139 open and spreads to them with the EternalBlue exploit. Once every task has completed, the DLL "deletes" itself by overwriting its own file with zeroes. NotPetya's kernel is stored right after the MBR rather than from sector 34.
NotPetya does not use NtRaiseHardError; it runs the "shutdown /r /f" command through the CreateProcess API instead. It also runs the following command line:

cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

This destroys the Setup, System, Security and Application event logs and the USN change journal of the system disk, removing most of the trail an incident responder would rely on; forwarding event logs off the host before an incident is the only reliable defense against it. NotPetya does not derive the user ID from the Salsa20 key; it generates a random one with CryptGenRandom, so the ID cannot be turned back into a key and no decryption is possible even after payment. The skull image is absent (patched out into empty lines), and the ransom note "You became victim of the Petya ransomware" is changed to "Oops, your important files are encrypted", with other changes to the note; NotPetya also lacks a proper decryption routine, unlike Petya. It is also called "Petya.EOB!". The on-disk layout differs as well: sector 33 is the verification sector, filled with the byte 0x07; sector 32 is the configuration sector; and sector 34 holds the original MBR XOR-encrypted with 0x07. Files with the following extensions are encrypted in every folder except WINDOWS, using the Windows CryptoAPI:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

If NotPetya finds Kaspersky Anti-Virus processes, or if the MBR infection fails (which Secure Boot can also cause), it instead destroys the first 10 sectors of every hard disk connected to the machine.

BadRabbit

BadRabbit is a Petya variant with EternalRomance spreading capabilities. It pretends to be an Adobe Flash update and requests Administrator privileges.
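The sector layouts given for Petya (sectors 54, 55 and 56, key 0x37) and NotPetya (sectors 32, 33 and 34, key 0x07) are simple enough to check and undo from a raw disk image. The following is an added example, not code from the page or from any published tool: it identifies which layout an image carries, first by the plaintext verification marker (present from infection until the fake CHKDSK pass) and, failing that, by XOR-decoding the MBR backup sector and testing whether the result looks like an MBR, then recovers the original MBR. The sample image is constructed in the code; the sector numbers are taken from the text above and everything else (the stub loader bytes, the partition entry, the stand-in ciphertext for the post-boot state) is an assumption of the example.

```python
SECTOR = 512

# Sector layouts as described above for the two families.
LAYOUTS = {
    "Petya (2016)":    {"xor_key": 0x37, "verify_sector": 55, "mbr_copy_sector": 56, "config_sector": 54},
    "NotPetya (2017)": {"xor_key": 0x07, "verify_sector": 33, "mbr_copy_sector": 34, "config_sector": 32},
}


def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def xor_sector(sector: bytes, key: int) -> bytes:
    # The same single-byte XOR both "encrypts" and recovers the sector.
    return bytes(b ^ key for b in sector)


def looks_like_mbr(sector: bytes) -> bool:
    """Cheap plausibility test for a decoded MBR: 0x55AA signature and sane boot-indicator bytes."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    table = sector[446:510]
    return all(table[i] in (0x00, 0x80) for i in range(0, 64, 16))


def identify_layout(image: bytes):
    """Return (variant, stage) or None.

    stage is "staged" while the plaintext marker sector is still present (before the fake
    CHKDSK run) and "encrypted" once only the XORed MBR copy is still identifiable."""
    for name, lay in LAYOUTS.items():
        if read_sector(image, lay["verify_sector"]) == bytes([lay["xor_key"]]) * SECTOR:
            return name, "staged"
    for name, lay in LAYOUTS.items():
        if looks_like_mbr(xor_sector(read_sector(image, lay["mbr_copy_sector"]), lay["xor_key"])):
            return name, "encrypted"
    return None


def recover_mbr(image: bytes):
    """Undo the XOR and return the original MBR, or None if the image is not recognised."""
    found = identify_layout(image)
    if found is None:
        return None
    lay = LAYOUTS[found[0]]
    original = xor_sector(read_sector(image, lay["mbr_copy_sector"]), lay["xor_key"])
    return original if looks_like_mbr(original) else None


# --- constructed test data (not taken from a real infection) --------------------------------

def sample_mbr() -> bytes:
    """A fake but well-formed MBR: stub code, one active NTFS partition entry, 0x55AA."""
    code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (446 - 8)
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff])
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def build_infected_image(variant: str, original_mbr: bytes, after_boot: bool = False) -> bytes:
    """Mimic the on-disk result described above: a loader in sector 0 that keeps the real
    partition table, the XORed MBR copy, the marker sector and a config sector whose first
    byte plays the role of config.state. after_boot=True replaces the marker with stand-in
    ciphertext to model the state after the fake CHKDSK pass."""
    lay = LAYOUTS[variant]
    sectors = [bytearray(SECTOR) for _ in range(64)]
    sectors[0][:] = b"\xeb\xfe" + b"\x00" * 444 + original_mbr[446:]
    sectors[lay["mbr_copy_sector"]][:] = xor_sector(original_mbr, lay["xor_key"])
    sectors[lay["config_sector"]][0] = 1 if after_boot else 0
    marker = bytes([lay["xor_key"]]) * SECTOR
    sectors[lay["verify_sector"]][:] = (bytes(range(256)) * 2) if after_boot else marker
    return b"".join(bytes(s) for s in sectors)


if __name__ == "__main__":
    mbr = sample_mbr()
    for variant, after in (("Petya (2016)", False), ("NotPetya (2017)", True)):
        img = build_infected_image(variant, mbr, after_boot=after)
        print(identify_layout(img), "recovered:", recover_mbr(img) == mbr)
```

On a real case the image would come from a raw read of the whole device (not a partition), and the recovered MBR should be compared against the partition table the loader left in sector 0 before it is written back; recovering the MBR restores bootability but not the MFT, which after the CHKDSK pass is only recoverable with the Salsa20 key.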
If the malware obtains the privileges it wants, it creates "infpub.dat", the BadRabbit main DLL, in the WINDOWS folder and runs it with rundll32.exe, passing the string "#1 15" as parameters. It also creates the files "cscc.dat" and "dispci.exe". "dispci.exe" is scheduled by the DLL with schtasks as a SYSTEM task named "rhaegal", with an "-id" argument. It is an EXE that sends specific commands to "cscc.dat" (through the DeviceIoControl function) to encrypt the disk. "cscc.dat" is started as a SYSTEM service with CreateServiceW under the name "Windows Client Side Caching DDriver" (sic). It is the disk-encryption component of the malware: the legitimate driver of the DiskCryptor utility, of which "dispci.exe" is also a (modified) part. A file "xxxx.tmp" is also created, a Mimikatz module used to steal credentials from the machine and spread across the network. "dispci.exe" sends the IOCTL commands that encrypt the disk; the resulting bootloader is not Petya's but a legitimate, modified DiskCryptor bootloader that runs the BadRabbit kernel. "dispci.exe" then restarts the system after a delay. The malware encrypts every file on the machine with AES-128 in CBC mode, protecting the file key with RSA-2048, so the files cannot be decrypted without the corresponding private key. A "Readme.txt" file is placed in every encrypted folder containing the same message that is later displayed on screen. The malware skips the "Windows", "Program Files", "ProgramData" and "AppData" folders. The key is randomly generated with the CryptoAPI function CryptGenRandom.
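The NotPetya and BadRabbit sections above describe several host behaviours that leave process-creation telemetry: rundll32 loading a .dat by export ordinal, wevtutil cl and fsutil usn deletejournal, a forced reboot spawned by rundll32, a SYSTEM task named rhaegal running dispci.exe, and PsExec-style remote execution of the payload. The following is an added example, not code from the page or from any vendor: a small rule set run over constructed process-creation records (fields modelled on Sysmon Event ID 1: image, command line, parent). The records are made up; the host address, task timing, paths and the PsExec switches are assumptions, and the two benign look-alikes at the end show what the rules must not flag.

```python
import re

# Constructed process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"rundll32.exe C:\Windows\perfc.dat,#1"},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"id": 3, "image": r"C:\Windows\System32\shutdown.exe", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"shutdown /r /f"},
    {"id": 4, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Users\bob\Downloads\flash_update.exe",
     "cmdline": r"C:\Windows\infpub.dat,#1 15"},
    {"id": 5, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\dispci.exe -id 1234"'},
    {"id": 6, "image": r"C:\Windows\dllhost.dat", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\dllhost.dat \\10.0.0.7 -accepteula -s rundll32.exe C:\Windows\perfc.dat,#1"},
    # benign look-alikes the rules must leave alone
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"id": 8, "image": r"C:\Windows\System32\wevtutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wevtutil qe Security /c:5 /f:text"},
]


def _is(image: str, name: str) -> bool:
    """True if the image path ends in the given executable name (case-insensitive)."""
    return image.lower().endswith("\\" + name)


def rundll32_dat_ordinal(ev) -> bool:
    # rundll32 given a .dat file and an export ordinal (perfc.dat,#1 / infpub.dat,#1 15)
    return _is(ev["image"], "rundll32.exe") and re.search(r"\.dat\s*,\s*#\d+", ev["cmdline"], re.I) is not None


def event_log_clearing(ev) -> bool:
    return re.search(r"\bwevtutil(\.exe)?\s+cl\b", ev["cmdline"], re.I) is not None


def usn_journal_deletion(ev) -> bool:
    return re.search(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b", ev["cmdline"], re.I) is not None


def forced_reboot_from_rundll32(ev) -> bool:
    # "shutdown /r /f" (either switch order) whose parent is rundll32
    has_flags = re.search(r"\s/r\b.*\s/f\b|\s/f\b.*\s/r\b", ev["cmdline"], re.I) is not None
    return _is(ev["image"], "shutdown.exe") and has_flags and _is(ev.get("parent", ""), "rundll32.exe")


def rhaegal_task(ev) -> bool:
    return (_is(ev["image"], "schtasks.exe")
            and re.search(r"/TN\s+rhaegal\b", ev["cmdline"], re.I) is not None
            and "dispci.exe" in ev["cmdline"].lower())


def psexec_style_dat_launch(ev) -> bool:
    # a \\host target followed by a .dat payload invoked by ordinal
    return re.search(r"\\\\[\w.\-]+\s.*\.dat\s*,\s*#\d+", ev["cmdline"], re.I) is not None


RULES = [
    ("rundll32 loading a .dat by export ordinal", rundll32_dat_ordinal),
    ("event log clearing", event_log_clearing),
    ("USN journal deletion", usn_journal_deletion),
    ("forced reboot spawned by rundll32", forced_reboot_from_rundll32),
    ("SYSTEM task named rhaegal running dispci.exe", rhaegal_task),
    ("PsExec-style remote launch of a .dat payload", psexec_style_dat_launch),
]


def scan(events):
    """Return {event id: [matched rule names]} for every event that hits at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, check in RULES.items()] if False else [name for name, check in RULES if check(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for event_id, names in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(names))
```

The log-clearing rule is the one worth prioritising in a SOC: the wevtutil and fsutil invocations above are rarely legitimate on a workstation, and because they execute before the reboot they are also the last events a host forwards before its local logs disappear.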
The following extensions are encrypted (each encrypted file is marked with the string "encrypted"):

3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx xml xvd zip

There is no CHKDSK screen; a message similar to NotPetya's is displayed instead. The "shutdown" command is used the same way NotPetya uses it, in place of the NtRaiseHardError function.

PetrWrap

PetrWrap is a variant of Petya. When run, it sleeps for 5400 seconds (1.5 hours). It then decrypts a modified version of "setup.dll" from the original Petya ransomware. The DLL is loaded in memory, its entry point is overwritten with NOPs (opcode 0x90) and two functions in the DLL's ".xxxx" section, "petya_infect" and "petya_generate_config", are hooked by the malware. Its function "ZuWQdweafdsg345312" is then called, and the same ".xxxx" section is decrypted and run. The DLL's key-protection scheme is replaced with a new one built from OpenSSL routines and different master keys, which only PetrWrap's authors own. The "petya_infect" routine is modified by the hooking PetrWrap EXE: this function injects the Petya kernel into the disk and generates the Salsa20 key the kernel uses. PetrWrap saves that Salsa20 key for later and alters the kernel code so that it skips the flashing skull and replaces the Petya ransom note with a PetrWrap-defined one.
The "petya_generate_config" function is modified by the hooking PetrWrap EXE as well. This function generates the configuration data for the Petya kernel that is used in the ransom note, such as the user ID and the list of Tor links. PetrWrap alters it so that a new ID is generated with a PetrWrap-only cryptographic scheme and substituted for the original one. These changes alone are what distinguish this version from Petya. It cannot be decrypted by anyone but PetrWrap's authors, yet it is not a wiper, which makes it fully functional ransomware.

Preventing Encryption

Booting from a live CD during the blue screen allows the user to recover their files without losing anything, because the ransomware has not yet begun encryption. Another way to prevent encryption is to force-shut down the computer during the fake CHKDSK screen, before the ransomware begins encrypting the MFT. At either point the original MBR is still recoverable on a Petya-infected disk, since its XOR-0x37 copy sits in sector 56.

Name

The name "Petya" is a reference to the 1995 James Bond film GoldenEye, in which Petya is one of the two Soviet weapon satellites that carry a "Goldeneye", an atomic bomb detonated in low Earth orbit to produce an electromagnetic pulse. A Twitter account that Heise suggested may have belonged to the author of the malware, named "Janus Cybercrime Solutions" after Alec Trevelyan's crime group in GoldenEye, had an avatar with an image of the GoldenEye character Boris Grishenko, a Russian hacker and antagonist in the film played by Scottish actor Alan Cumming.

Affected companies and organizations

* Rosneft (Russia)
* A.P. Moller-Maersk (Denmark)
* WPP (United Kingdom)
* Merck & Co.
* Russian banks (Russia)
* Ukraine central bank and power grid (Ukraine)
* Boryspil Airport (Ukraine)
* Saint-Gobain (France)
* Deutsche Post (Germany)
* Metro (Germany)
* Mondelez International (United States)
* Evraz (Russia)
* Unnamed Norwegian international company (Norway)
* Mars Inc. (United States)
* Beiersdorf AG (Germany)
* Reckitt Benckiser (United Kingdom)

Sources

* https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/
* https://www.ft.com/content/884992a8-5da7-11e7-9bc8-8055f264aa8b
* https://www.tomshardware.com/news/petya-ransomware-master-key-released,34961.html
* https://securelist.com/petya-the-two-in-one-trojan/74609/

Category:Ransomware Category:Win32 Category:Win32 ransomware Category:Microsoft Windows Category:Wiper Category:Win32 wiper